U.S. regulators issue guidelines for banks safekeeping crypto

The Federal Reserve Board, Federal Deposit Insurance Corp. (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) issued on Monday a joint statement that outlines considerations for banks that provide custody of crypto assets for their customers, or other services for safekeeping of crypto.

The statement discussed how existing laws, regulations and risk-management principles apply to crypto safekeeping but doesn’t create any new supervisory expectations, the regulators said. The Fed, FDIC, and OCC define “safekeeping” as the service of holding an asset on a customer’s behalf for the purposes of the statement.

An effective risk assessment would consider such things as the banking organization’s (1) core financial risks given the strategic direction and business model; (2) ability to understand a complex, evolving, and potentially unfamiliar asset class, including by keeping abreast of industry leading practices; (3) ability to ensure a strong control environment; and (4) contingency plans to address any unanticipated challenges in effectivelyproviding services.

The statement emphasizes that banks must follow the same laws as other banking activities, including the Bank Secrecy Act/anti-money laundering, countering the financing of terrorism, and Office of Foreign Assets Control requirements. Those laws and regulation require that financial institutions verify customer identity, perform due diligence on the nature and purpose of the customer relationship, perform ongoing monitoring to identify and report suspicious activity, block transactions in accordance with OFAC sanctions, and follow the “Travel Rule.”

“The design features of distributed ledger technology may present challenges for achieving or maintaining compliance with certain of these requirements if compliance depends on review of the identifying information (for example, name and address) related to a transaction,” the statement said.

In addition, banks need to take the actions to understand the benefits and risks of using third-party custodians. “Appropriate risk management may include analyzing the potential treatment of customer assets held at the sub-custodian in the event of insolvency or operational disruptions and evaluating the appropriateness of the sub-custodian’s risk management and record-keeping practices,” the regulator said, among other considerations.

Throughout the statement, the regulators remind banks that safekeeping crypto assets means that they’ll need to stay abreast of evolving technology in the sector.

Audits are key to an effective risk management and internal control systems, the statement said. “A crypto-asset safekeeping audit should address the nuances of crypto-assets, including an assessment of cryptographic key generation, storage, and deletion; controls related to transfer and settlement of customer assets; and the sufficiency of relevant information technology systems.”